We're logging user events using JavaScript and a third-party logging service. The API key is hardcoded in JS. The logging service restricts the API key to our domain. I'm assuming it looks at the referrer to know the domain that's making the request.

However, attackers can easily write a script to call the logging service. The script would use our domain as the referrer and use our API key. Our competitors can spam our logs to make analysis impossible and waste our time responding to alerts.

Is it possible to protect against this? Even if we use our server as a proxy to call the third-party API, attackers can just call our proxy.

1 Answer

The answer is no. If you are giving the API key out publicly and the API key is the only secret required to log, then an attacker can easily obtain the API key and create log events.

You may be able to throttle based on IP address or use other attack detection to prevent abuse, but it depends on the control you have over the logging service and what it supports.

If you were to serve a unique API key to each client, you could then set up logic per-key saying things like: "This key may only be used for 100 log events before it expires and it is throttled to X events/sec." Of course, an attacker can still start requesting many new keys, so you'd have to detect if this is happening and try to limit by source IP again. Similar problem to before.